OBIEE Server in DMZ to support OBIEE Mobile Device App

Does Oracle support installing OBIEE in a DMZ for access to mobile devices connecting from the internet?
The install documentation mentions using VPN, and the architecture diagram only shows using a proxy, but I see nothing in any of the documents I have seen so far regarding installing OBIEE in a DMZ.
Specifically interested in v 11.1.1.9.x, but also in Oracle's support policy in general.
Answers
-
What would be the difference for you between installing OBIEE in a DMZ, in your normal internal corporate network or on a server without network? Nothing really changes for OBIEE: as long as the server has a name / IP and it can reference itself, OBIEE is happy.
A DMZ is more about you and how you manage the various accesses: on one side you will have to open the required services for the users to connect to your OBIEE in your DMZ, on the other side you need to open connections between OBIEE and the various sources (DB) which are probably on your internal network.
Or do you mean something different by "OBIEE in DMZ"?
0 -
Technically it is possible, and security and other mitigation could be put in place; however, from an Oracle Support perspective they may not support the configuration. It has been my experience that Oracle has typically not recommended exposing applications to the internet as a matter of policy, not necessarily because it is not technically possible. In my previous experience I was told that applications were not tested or specifically hardened for external use, therefore Oracle would recommend against it, and would not support it. Possibly a liability risk as well if they did support it.
0 -
Well, I can't say what the licensing contract clearly states, as those papers sound like Chinese and it's more a topic for your legal department.
From a practical point of view it's generally not a good practice to expose this kind of solution to the external world directly. I would say it's not the main job of OBIEE to protect you against that.
So adding a proxy in front making sure to only expose the required pieces (in the end it's a web application) is a normal solution.
From a strictly support / certified configuration they can't really go to that point, or they will also start saying they only support white network cables and not other colors etc. So if your configuration is certified, the support must not be a problem.
Of course if you expose OBIEE to the internet directly (all its ports) and you have issues because of tons of failed logins and so your system is slow, or you get hacked because they manage to get a valid login, you will not be able to blame the tool as it will be "your" fault.
That's where the proxy can help you, in addition to your firewalls, to block sessions after some failed logins, protect you against DoS etc.
In the end I would say it's more about "good practice", to do the best you can to protect your system. The same is valid for an OBIEE on the internal network of a company: if you have 10K potential users you will also need to protect your system as you can't be sure they are all nice and not willing to damage you.
0 -
I also put in an SR, and Oracle Support responded very quickly...
"This is a supported configuration, in fact, it is described in the Enterprise Deployment Guide (2.1 Overview of Enterprise Deployment Reference Topologies, https://docs.oracle.com/middleware/11119/bisuite/BIEDG/intro.htm#CJAIBGAC). Basically you install OHS in front of the BIEE servers and secure the application."
0